South Korean banks and broadcasters took phish bait in cyberattack

More details of the cyberattack on multiple banks and media companies in South Korea on Wednesday have emerged, suggesting that at least part of the attack was launched through a phishing campaign against employees of the companies. According to a report from Trend Micro's security lab, the "wiper" malware that struck at least six different companies was delivered disguised as a document in an e-mail.

The attachment was first noticed by e-mail scanners on March 18, the day before the attack was triggered. The e-mail was purportedly from a bank; Trend Micro's Deep Discovery threat scanning software recognized the message as coming from a host that had been used to distribute malware in the past.

The attachment, disguised as a document, was actually the installer for the "wiper" malware. It also carried PuTTY SSH and SCP clients, and a bash script designed to be used in an attack against Unix servers that the target machines had connection profiles for. When activated, the dropper attempted to create SSH sessions to Unix hosts with root privileges and erase key directories, as Ars reported yesterday.
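The behaviour described above, a workstation-resident dropper opening root SSH sessions to Unix hosts, leaves a trace in sshd logs on the receiving side. The following is an added detection example, not code from the article or from Trend Micro: it scans constructed OpenSSH auth-log lines and flags accepted root logins that originate from an assumed desktop subnet, which is where the infected PCs would sit.

```python
import ipaddress
import re

# Constructed sample sshd log lines (not from the article); hosts, times and
# addresses are made up for illustration.
SAMPLE_AUTH_LOG = """\
Mar 20 14:01:12 web01 sshd[2231]: Accepted publickey for deploy from 10.1.5.20 port 50122 ssh2
Mar 20 14:02:03 web01 sshd[2240]: Accepted password for root from 192.168.30.41 port 51034 ssh2
Mar 20 14:02:05 web01 sshd[2244]: Accepted password for root from 192.168.30.57 port 51040 ssh2
Mar 20 14:03:44 db02 sshd[9912]: Accepted password for root from 10.1.9.8 port 40211 ssh2
Mar 20 14:04:01 web01 sshd[2250]: Failed password for root from 192.168.30.41 port 51050 ssh2
"""

# Assumption: the desktop/workstation VLAN is 192.168.30.0/24; adjust to your environment.
WORKSTATION_NETS = [ipaddress.ip_network("192.168.30.0/24")]

# Matches the standard OpenSSH "Accepted <method> for <user> from <ip>" line.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\s(?P<host>\S+)\ssshd\[\d+\]:\s"
    r"Accepted\s(?P<method>\w+)\sfor\s(?P<user>\S+)\sfrom\s(?P<src>[\d.]+)"
)


def find_root_logins_from_workstations(log_text, workstation_nets=WORKSTATION_NETS):
    """Return (timestamp, target host, source ip) for every accepted root login
    whose source address lies in a workstation subnet. Failed attempts and
    non-root logins are ignored; a root shell from a desktop is the signal."""
    hits = []
    for line in log_text.splitlines():
        m = LOGIN_RE.match(line)
        if not m or m["user"] != "root":
            continue
        src = ipaddress.ip_address(m["src"])
        if any(src in net for net in workstation_nets):
            hits.append((m["ts"], m["host"], str(src)))
    return hits


if __name__ == "__main__":
    for ts, host, src in find_root_logins_from_workstations(SAMPLE_AUTH_LOG):
        print(f"{ts} root login on {host} from workstation {src}")
```

Pair the check with a review of `PermitRootLogin` in sshd_config on the same hosts, since a root login that cannot be accepted never needs to be detected.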

It's still unclear if any damage was done to Unix systems, but the wiper disabled a number of PCs at the targeted companies. If the attack affected developers or webmasters at the companies, it's possible that Web servers were affected by the Unix SSH attack, bringing mobile and Web banking applications down. Nevertheless, it's unclear at this time what caused the network interruptions that accompanied the malware attack.

18 Reader Comments

This is a message from your barely legal HR representative. I have some pics of me frolicking around naked with a Brazilian beauty. I'd love to have your opinion. Please reply with your name and password to see the pics (and please do not let anyone else see them, lol)

Melissa

Name:Password:

=====

BEEEEP BEEEEP this was a test. If your brain turned off after the word naked you should not be allowed near a computer

Reminds me of that motivational poster, "maybe your only purpose in life is to serve as an example to others". Hopefully this will help a few people convince their management to.... okay I'm just dreaming there. Let's see who is next, copycats inbound!

I haven't kept up on the Korean Internet, but a few years ago, you had to install ActiveX controls for pretty much any website that required "security". With the result being that prompts to install ActiveX controls were an autoclick for everyone in the country. Unless that situation has changed, I would be surprised if it were not also exploited in this attack.

According to a report from Trend Micro's security lab, the "wiper" malware that struck at least six different companies was delivered disguised as a document in an e-mail.

Does anyone think that this vector (email, SMS, or other two-way communication) is ever going to change in the future of human civilization? Even if every single person in the world today learned to not trust unvetted documents, the next generation of employees will have to see for themselves what happens when you take the bait. It will never end.

So with this in mind, why do people still think the cloud is the future? Online security breaches and data theft are all but guaranteed, and the world is paving a highway and providing the transportation to just come and get it. Good luck with the resulting cleanup and credit damage.

I haven't kept up on the Korean Internet, but a few years ago, you had to install ActiveX controls for pretty much any website that required "security". With the result being that prompts to install ActiveX controls were an autoclick for everyone in the country. Unless that situation has changed, I would be surprised if it were not also exploited in this attack.

I can confirm that it has not changed at all.

It's just that nowadays, non-IE browsers can visit many of those sites that require ActiveX... by being offered a Java-based plug-in due to the multi-browser support mandate.

Our IT dept sends out information emails on phishing all the time. A few weeks ago I got an email that looked 100% like a phishing email, but the header showed it was from IT. Forwarded it to the "reporting" email like we are supposed to, and put a note that if they want to try to test us, they should not use a @ourcompany.com email.

Haha... the university I work for sent out their own phishing e-mail and then contacted each of the individuals who responded, letting them know that, were this a real situation, they would have been hacked. While it was an eye-opener for many, the faculty were... less than pleased. We send out e-mails twice a month--probably--that warn people about things like this, but whoever it was above that said, "the next generation of workers will have to figure out for themselves what happens", is absolutely right.

Haha... the university I work for sent out their own phishing e-mail and then contacted each of the individuals who responded, letting them know that, were this a real situation, they would have been hacked. While it was an eye-opener for many, the faculty were... less than pleased.

And it also has external costs. All that spam that chokes the Internet? Financed by gullible people who click the links and send money. Telemarketer calls? Financed by people who pick up and send money.

You and I suffer because idiots make shit like that financially viable.

Haha... the university I work for sent out their own phishing e-mail and then contacted each of the individuals who responded, letting them know that, were this a real situation, they would have been hacked. While it was an eye-opener for many, the faculty were... less than pleased. We send out e-mails twice a month--probably--that warn people about things like this, but whoever it was above that said, "the next generation of workers will have to figure out for themselves what happens", is absolutely right.

Yeah, members of the faculty are always the first ones to go ballistic when something happens to their data, but they're also the first ones to go ballistic when security measures are implemented to prevent that. Smart people it seems, but very unreasonable most of the time when computer security is concerned. They want to be safe, but they object to periodic password changes, VPN requirements, etc.

Haha... the university I work for sent out their own phishing e-mail and then contacted each of the individuals who responded, letting them know that, were this a real situation, they would have been hacked. While it was an eye-opener for many, the faculty were... less than pleased.

And it also has external costs. All that spam that chokes the Internet? Financed by gullible people who click the links and send money. Telemarketer calls? Financed by people who pick up and send money.

You and I suffer because idiots make shit like that financially viable.

I always thought a good solution was to send out spam for male enhancement products, and have them contain cyanide. That would eliminate the market for such spam in a few months.

Yeah, members of the faculty are always the first ones to go ballistic when something happens to their data, but they're also the first ones to go ballistic when security measures are implemented to prevent that. Smart people it seems, but very unreasonable most of the time when computer security is concerned. They want to be safe, but they object to periodic password changes, VPN requirements, etc.

Well, I can't completely fault the faculty here. Many of them are very good at what they do, but they're certainly not all Computing Science professors.

Also, university faculty can be vulnerable to attacks that the general public would not be. What if you had some kind of insider knowledge about a particular lab, and sent a high-quality phishing email that looked like it was concerning something that's currently going on in the lab? I know most phishing operations are far less targeted, but there could be huge potential in this kind of thing.

Keep in mind, too, that some of this data is EXTREMELY sensitive. For example, one of the projects I'm working on deals with hyperspectral images of ore samples taken from a certain company's oil fields. If someone less scrupulous were to get their hands on this data, our sponsor's competitors would probably be VERY interested in purchasing it. In other cases, there may be data that must be kept secure because it contains confidential information, such as patient records and radiological data.

At any rate, it's good that the university is taking steps to curb phishing, but ultimately the responsibility lies on them, as they own the data (via work for hire).

And it also has external costs. All that spam that chokes the Internet? Financed by gullible people who click the links and send money. Telemarketer calls? Financed by people who pick up and send money.

You and I suffer because idiots make shit like that financially viable.

I suspect the people sending money suffer more than we do. I'll take the spam and telemarketers over paying the price of being an idiot.

"Trend Micro's Deep Discovery threat scanning software recognized the message as coming from a host that had been used to distribute malware in the past."

Their threat scanning software must be better than what they sell small/medium business; I'd call Trend Micro OfficeScan and Worry-Free Business Security (have used both) pretty much C-grade in detection and removal, and the management UIs are clunky.

Sean Gallagher / Sean is Ars Technica's IT Editor. A former Navy officer, systems administrator, and network systems integrator with 20 years of IT journalism experience, he lives and works in Baltimore, Maryland.